int main(int argc, char *argv[])
{
argmap_t argmap;
argmap["c"] = "2";
argmap["k"] = "80";
argmap["L"] = "20";
argmap["m"] = "0";
argmap["n"] = "0";
// get parameters from the command line
if (!parseArgs(argc, argv, argmap)) usage(argv[0]);
long c = atoi(argmap["c"]);
long k = atoi(argmap["k"]);
long L = atoi(argmap["L"]);
long chosen_m = atoi(argmap["m"]);
long n = atoi(argmap["n"]);
long w = 64; // Hamming weight of secret key
// long L = z*R; // number of levels
long m = FindM(k, L, c, 2, 1, 0, chosen_m, true);
setTimersOn();
TestIt(c, k, w, L, m, n);
cerr << endl;
printAllTimers();
cerr << endl;
}
int main(int argc, char *argv[])
{
argmap_t argmap;
argmap["R"] = "1";
argmap["p"] = "2";
argmap["r"] = "1";
argmap["d"] = "1";
argmap["c"] = "2";
argmap["k"] = "80";
argmap["L"] = "0";
argmap["s"] = "0";
argmap["m"] = "0";
argmap["repeat"] = "1";
// get parameters from the command line
if (!parseArgs(argc, argv, argmap)) usage(argv[0]);
long R = atoi(argmap["R"]);
long p = atoi(argmap["p"]);
long r = atoi(argmap["r"]);
long d = atoi(argmap["d"]);
long c = atoi(argmap["c"]);
long k = atoi(argmap["k"]);
// long z = atoi(argmap["z"]);
long L = atoi(argmap["L"]);
if (L==0) { // determine L based on R,r
L = 3*R+3;
if (p>2 || r>1) { // add some more primes for each round
long addPerRound = 2*ceil(log((double)p)*r*3)/(log(2.0)*NTL_SP_NBITS) +1;
L += R * addPerRound;
}
}
long s = atoi(argmap["s"]);
long chosen_m = atoi(argmap["m"]);
long repeat = atoi(argmap["repeat"]);
long w = 64; // Hamming weight of secret key
// long L = z*R; // number of levels
long m = FindM(k, L, c, p, d, s, chosen_m, true);
setTimersOn();
for (long repeat_cnt = 0; repeat_cnt < repeat; repeat_cnt++) {
TestIt(R, p, r, d, c, k, w, L, m);
}
}
int main(int argc, char *argv[])
{
if (argc<2) {
cout << "\nUsage: " << argv[0] << " L [c=2 w=64 k=80 d=1]" << endl;
cout << " L is the number of levels\n";
cout << " optional c is number of columns in the key-switching matrices (default=2)\n";
cout << " optional w is Hamming weight of the secret key (default=64)\n";
cout << " optional k is the security parameter (default=80)\n";
cout << " optional d specifies GF(2^d) arithmetic (default=1, must be <=16)\n";
// cout << " k is the security parameter\n";
// cout << " m determines the ring mod Phi_m(X)" << endl;
cout << endl;
exit(0);
}
cout.unsetf(ios::floatfield);
cout.precision(4);
long L = atoi(argv[1]);
long c = 2;
long w = 64;
long k = 80;
long d = 1;
if (argc>2) c = atoi(argv[2]);
if (argc>3) w = atoi(argv[3]);
if (argc>4) k = atoi(argv[4]);
if (argc>5) d = atoi(argv[5]);
if (d>16) Error("d cannot be larger than 16\n");
cout << "\nTesting FHE with parameters L="<<L
<< ", c="<<c<<", w="<<w<<", k="<<k<<", d="<<d<< endl;
// get a lower-bound on the parameter N=phi(m):
// 1. Empirically, we use ~20-bit small primes in the modulus chain (the main
// constraints is that 2m must divide p-1 for every prime p). The first
// prime is larger, a 40-bit prime. (If this is a 32-bit machine then we
// use two 20-bit primes instead.)
// 2. With L levels, the largest modulus for "fresh ciphertexts" has size
// q0 ~ p0 * p^{L} ~ 2^{40+20L}
// 3. We break each ciphertext into upto c digits, do each digit is as large
// as D=2^{(40+20L)/c}
// 4. The added noise variance term from the key-switching operation is
// c*N*sigma^2*D^2, and this must be mod-switched down to w*N (so it is
// on part with the added noise from modulus-switching). Hence the ratio
// P that we use for mod-switching must satisfy c*N*sigma^2*D^2/P^2<w*N,
// or P > sqrt(c/w) * sigma * 2^{(40+20L)/c}
// 5. With this extra P factor, the key-switching matrices are defined
// relative to a modulus of size
// Q0 = q0*P ~ sqrt{c/w} sigma 2^{(40+20L)(1+1/c)}
// 6. To get k-bit security we need N>log(Q0/sigma)(k+110)/7.2, i.e. roughly
// N > (40+20L)(1+1/c)(k+110) / 7.2
long ptxtSpace = 2;
double cc = 1.0+(1.0/(double)c);
long N = (long) ceil((pSize*L+p0Size)*cc*(k+110)/7.2);
cout << " bounding phi(m) > " << N << endl;
#if 0 // A small m for debugging purposes
long m = 15;
#else
// pre-computed values of [phi(m),m,d]
long ms[][4] = {
//phi(m) m ord(2) c_m*1000
{ 1176, 1247, 28, 3736},
{ 1936, 2047, 11, 3870},
{ 2880, 3133, 24, 3254},
{ 4096, 4369, 16, 3422},
{ 5292, 5461, 14, 4160},
{ 5760, 8435, 24, 8935},
{ 8190, 8191, 13, 1273},
{10584, 16383, 14, 8358},
{10752, 11441, 48, 3607},
{12000, 13981, 20, 2467},
{11520, 15665, 24, 14916},
{14112, 18415, 28, 11278},
{15004, 15709, 22, 3867},
{15360, 20485, 24, 12767},
// {16384, 21845, 16, 12798},
{17208 ,21931, 24, 18387},
{18000, 18631, 25, 4208},
{18816, 24295, 28, 16360},
{19200, 21607, 40, 35633},
{21168, 27305, 28, 15407},
{23040, 23377, 48, 5292},
{24576, 24929, 48, 5612},
{27000, 32767, 15, 20021},
{31104, 31609, 71, 5149},
{42336, 42799, 21, 5952},
{46080, 53261, 24, 33409},
{49140, 57337, 39, 2608},
{51840, 59527, 72, 21128},
{61680, 61681, 40, 1273},
{65536, 65537, 32, 1273},
{75264, 82603, 56, 36484},
{84672, 92837, 56, 38520}
};
#if 0
for (long i = 0; i < 25; i++) {
long m = ms[i][1];
PAlgebra alg(m);
alg.printout();
cout << "\n";
// compute phi(m) directly
long phim = 0;
for (long j = 0; j < m; j++)
if (GCD(j, m) == 1) phim++;
if (phim != alg.phiM()) cout << "ERROR\n";
}
exit(0);
#endif
// find the first m satisfying phi(m)>=N and d | ord(2) in Z_m^*
long m = 0;
for (unsigned i=0; i<sizeof(ms)/sizeof(long[3]); i++)
if (ms[i][0]>=N && (ms[i][2] % d) == 0) {
m = ms[i][1];
c_m = 0.001 * (double) ms[i][3];
break;
}
if (m==0) Error("Cannot support this L,d combination");
#endif
// m = 257;
FHEcontext context(m);
#if 0
context.stdev = to_xdouble(0.5); // very low error
#endif
activeContext = &context; // Mark this as the "current" context
context.zMstar.printout();
cout << endl;
// Set the modulus chain
#if 1
// The first 1-2 primes of total p0size bits
#if (NTL_SP_NBITS > p0Size)
AddPrimesByNumber(context, 1, 1UL<<p0Size); // add a single prime
#else
AddPrimesByNumber(context, 2, 1UL<<(p0Size/2)); // add two primes
#endif
#endif
// The next L primes, as small as possible
AddPrimesByNumber(context, L);
ZZ productOfCtxtPrimes = context.productOfPrimes(context.ctxtPrimes);
double productSize = context.logOfProduct(context.ctxtPrimes);
// might as well test that the answer is roughly correct
cout << " context.logOfProduct(...)-log(context.productOfPrimes(...)) = "
<< productSize-log(productOfCtxtPrimes) << endl;
// calculate the size of the digits
context.digits.resize(c);
IndexSet s1;
#if 0
for (long i=0; i<c-1; i++) context.digits[i] = IndexSet(i,i);
context.digits[c-1] = context.ctxtPrimes / IndexSet(0,c-2);
AddPrimesByNumber(context, 2, 1, true);
#else
double sizeSoFar = 0.0;
double maxDigitSize = 0.0;
if (c>1) { // break ciphetext into a few digits
double dsize = productSize/c; // initial estimate
double target = dsize-(pSize/3.0);
long idx = context.ctxtPrimes.first();
for (long i=0; i<c-1; i++) { // compute next digit
IndexSet s;
while (idx <= context.ctxtPrimes.last() && sizeSoFar < target) {
s.insert(idx);
sizeSoFar += log((double)context.ithPrime(idx));
idx = context.ctxtPrimes.next(idx);
}
context.digits[i] = s;
s1.insert(s);
double thisDigitSize = context.logOfProduct(s);
if (maxDigitSize < thisDigitSize) maxDigitSize = thisDigitSize;
cout << " digit #"<<i+1<< " " <<s << ": size " << thisDigitSize << endl;
target += dsize;
}
IndexSet s = context.ctxtPrimes / s1; // all the remaining primes
context.digits[c-1] = s;
double thisDigitSize = context.logOfProduct(s);
if (maxDigitSize < thisDigitSize) maxDigitSize = thisDigitSize;
cout << " digit #"<<c<< " " <<s << ": size " << thisDigitSize << endl;
}
else {
maxDigitSize = context.logOfProduct(context.ctxtPrimes);
context.digits[0] = context.ctxtPrimes;
}
// Add primes to the chain for the P factor of key-switching
double sizeOfSpecialPrimes
= maxDigitSize + log(c/(double)w)/2 + log(context.stdev *2);
AddPrimesBySize(context, sizeOfSpecialPrimes, true);
#endif
cout << "* ctxtPrimes: " << context.ctxtPrimes
<< ", log(q0)=" << context.logOfProduct(context.ctxtPrimes) << endl;
cout << "* specialPrimes: " << context.specialPrimes
<< ", log(P)=" << context.logOfProduct(context.specialPrimes) << endl;
for (long i=0; i<context.numPrimes(); i++) {
cout << " modulus #" << i << " " << context.ithPrime(i) << endl;
}
cout << endl;
setTimersOn();
const ZZX& PhimX = context.zMstar.PhimX(); // The polynomial Phi_m(X)
long phim = context.zMstar.phiM(); // The integer phi(m)
FHESecKey secretKey(context);
const FHEPubKey& publicKey = secretKey;
#if 0 // Debug mode: use sk=1,2
DoubleCRT newSk(to_ZZX(2), context);
long id1 = secretKey.ImportSecKey(newSk, 64, ptxtSpace);
newSk -= 1;
long id2 = secretKey.ImportSecKey(newSk, 64, ptxtSpace);
#else
long id1 = secretKey.GenSecKey(w,ptxtSpace); // A Hamming-weight-w secret key
long id2 = secretKey.GenSecKey(w,ptxtSpace); // A second Hamming-weight-w secret key
#endif
ZZX zero = to_ZZX(0);
// Ctxt zeroCtxt(publicKey);
/******************************************************************/
/** TESTS BEGIN HERE ***/
/******************************************************************/
cout << "ptxtSpace = " << ptxtSpace << endl;
GF2X G; // G is the AES polynomial, G(X)= X^8 +X^4 +X^3 +X +1
SetCoeff(G,8); SetCoeff(G,4); SetCoeff(G,3); SetCoeff(G,1); SetCoeff(G,0);
GF2X X;
SetX(X);
#if 1
// code for rotations...
{
GF2X::HexOutput = 1;
const PAlgebra& al = context.zMstar;
const PAlgebraModTwo& al2 = context.modTwo;
long ngens = al.numOfGens();
long nslots = al.NSlots();
DoubleCRT tmp(context);
vector< vector< DoubleCRT > > maskTable;
maskTable.resize(ngens);
for (long i = 0; i < ngens; i++) {
if (i==0 && al.SameOrd(i)) continue;
long ord = al.OrderOf(i);
maskTable[i].resize(ord+1, tmp);
for (long j = 0; j <= ord; j++) {
// initialize the mask that is 1 whenever
// the ith coordinate is at least j
vector<GF2X> maps, alphas, betas;
al2.mapToSlots(maps, G); // Change G to X to get bits in the slots
alphas.resize(nslots);
for (long k = 0; k < nslots; k++)
if (coordinate(al, i, k) >= j)
alphas[k] = 1;
else alphas[k] = 0;
GF2X ptxt;
al2.embedInSlots(ptxt, alphas, maps);
// Sanity-check, make sure that encode/decode works as expected
al2.decodePlaintext(betas, ptxt, G, maps);
for (long k = 0; k < nslots; k++) {
if (alphas[k] != betas[k]) {
cout << " Mask computation failed, i="<<i<<", j="<<j<<"\n";
return 0;
}
}
maskTable[i][j] = to_ZZX(ptxt);
}
}
vector<GF2X> maps;
al2.mapToSlots(maps, G);
vector<GF2X> alphas(nslots);
for (long i=0; i < nslots; i++)
random(alphas[i], 8); // random degree-7 polynomial mod 2
for (long amt = 0; amt < 20; amt++) {
cout << ".";
GF2X ptxt;
al2.embedInSlots(ptxt, alphas, maps);
DoubleCRT pp(context);
pp = to_ZZX(ptxt);
rotate(pp, amt, maskTable);
GF2X ptxt1 = to_GF2X(to_ZZX(pp));
vector<GF2X> betas;
al2.decodePlaintext(betas, ptxt1, G, maps);
for (long i = 0; i < nslots; i++) {
if (alphas[i] != betas[(i+amt)%nslots]) {
cout << " amt="<<amt<<" oops\n";
return 0;
}
}
}
cout << "\n";
#if 0
long ord0 = al.OrderOf(0);
for (long i = 0; i < nslots; i++) {
cout << alphas[i] << " ";
if ((i+1) % (nslots/ord0) == 0) cout << "\n";
}
cout << "\n\n";
cout << betas.size() << "\n";
for (long i = 0; i < nslots; i++) {
cout << betas[i] << " ";
if ((i+1) % (nslots/ord0) == 0) cout << "\n";
}
#endif
return 0;
}
#endif
// an initial sanity check on noise estimates,
// comparing the estimated variance to the actual average
cout << "pk:"; checkCiphertext(publicKey.pubEncrKey, zero, secretKey);
ZZX ptxt[6]; // first four are plaintext, last two are constants
std::vector<Ctxt> ctxt(4, Ctxt(publicKey));
// Initialize the plaintext and constants to random 0-1 polynomials
for (size_t j=0; j<6; j++) {
ptxt[j].rep.SetLength(phim);
for (long i = 0; i < phim; i++)
ptxt[j].rep[i] = RandomBnd(ptxtSpace);
ptxt[j].normalize();
if (j<4) {
publicKey.Encrypt(ctxt[j], ptxt[j], ptxtSpace);
cout << "c"<<j<<":"; checkCiphertext(ctxt[j], ptxt[j], secretKey);
}
}
// perform upto 2L levels of computation, each level computing:
// 1. c0 += c1
// 2. c1 *= c2 // L1' = max(L1,L2)+1
// 3. c1.reLinearlize
// 4. c2 *= p4
// 5. c2.automorph(k) // k is the first generator of Zm^* /(2)
// 6. c2.reLinearlize
// 7. c3 += p5
// 8. c3 *= c0 // L3' = max(L3,L0,L1)+1
// 9. c2 *= c3 // L2' = max(L2,L0+1,L1+1,L3+1)+1
// 10. c0 *= c0 // L0' = max(L0,L1)+1
// 11. c0.reLinearlize
// 12. c2.reLinearlize
// 13. c3.reLinearlize
//
// The levels of the four ciphertexts behave as follows:
// 0, 0, 0, 0 => 1, 1, 2, 1 => 2, 3, 3, 2
// => 4, 4, 5, 4 => 5, 6, 6, 5
// => 7, 7, 8, 7 => 8,,9, 9, 10 => [...]
//
// We perform the same operations on the plaintext, and after each operation
// we check that decryption still works, and print the curretn modulus and
// noise estimate. We stop when we get the first decryption error, or when
// we reach 2L levels (which really should not happen).
zz_pContext zzpc;
zz_p::init(ptxtSpace);
zzpc.save();
const zz_pXModulus F = to_zz_pX(PhimX);
long g = context.zMstar.ZmStarGen(0); // the first generator in Zm*
zz_pX x2g(g, 1);
zz_pX p2;
// generate a key-switching matrix from s(X^g) to s(X)
secretKey.GenKeySWmatrix(/*powerOfS= */ 1,
/*powerOfX= */ g,
0, 0,
/*ptxtSpace=*/ ptxtSpace);
// generate a key-switching matrix from s^2 to s
secretKey.GenKeySWmatrix(/*powerOfS= */ 2,
/*powerOfX= */ 1,
0, 0,
/*ptxtSpace=*/ ptxtSpace);
// generate a key-switching matrix from s^3 to s
secretKey.GenKeySWmatrix(/*powerOfS= */ 3,
/*powerOfX= */ 1,
0, 0,
/*ptxtSpace=*/ ptxtSpace);
for (long lvl=0; lvl<2*L; lvl++) {
cout << "=======================================================\n";
ctxt[0] += ctxt[1];
ptxt[0] += ptxt[1];
PolyRed(ptxt[0], ptxtSpace, true);
cout << "c0+=c1: "; checkCiphertext(ctxt[0], ptxt[0], secretKey);
ctxt[1].multiplyBy(ctxt[2]);
ptxt[1] = (ptxt[1] * ptxt[2]) % PhimX;
PolyRed(ptxt[1], ptxtSpace, true);
cout << "c1*=c2: "; checkCiphertext(ctxt[1], ptxt[1], secretKey);
ctxt[2].multByConstant(ptxt[4]);
ptxt[2] = (ptxt[2] * ptxt[4]) % PhimX;
PolyRed(ptxt[2], ptxtSpace, true);
cout << "c2*=p4: "; checkCiphertext(ctxt[2], ptxt[2], secretKey);
ctxt[2] >>= g;
zzpc.restore();
p2 = to_zz_pX(ptxt[2]);
CompMod(p2, p2, x2g, F);
ptxt[2] = to_ZZX(p2);
cout << "c2>>="<<g<<":"; checkCiphertext(ctxt[2], ptxt[2], secretKey);
ctxt[2].reLinearize();
cout << "c2.relin:"; checkCiphertext(ctxt[2], ptxt[2], secretKey);
ctxt[3].addConstant(ptxt[5]);
ptxt[3] += ptxt[5];
PolyRed(ptxt[3], ptxtSpace, true);
cout << "c3+=p5: "; checkCiphertext(ctxt[3], ptxt[3], secretKey);
ctxt[3].multiplyBy(ctxt[0]);
ptxt[3] = (ptxt[3] * ptxt[0]) % PhimX;
PolyRed(ptxt[3], ptxtSpace, true);
cout << "c3*=c0: "; checkCiphertext(ctxt[3], ptxt[3], secretKey);
ctxt[0].square();
ptxt[0] = (ptxt[0] * ptxt[0]) % PhimX;
PolyRed(ptxt[0], ptxtSpace, true);
cout << "c0*=c0: "; checkCiphertext(ctxt[0], ptxt[0], secretKey);
ctxt[2].multiplyBy(ctxt[3]);
ptxt[2] = (ptxt[2] * ptxt[3]) % PhimX;
PolyRed(ptxt[2], ptxtSpace, true);
cout << "c2*=c3: "; checkCiphertext(ctxt[2], ptxt[2], secretKey);
}
/******************************************************************/
/** TESTS END HERE ***/
/******************************************************************/
cout << endl;
return 0;
}
void TestIt(long idx, long p, long r, long L, long c, long skHwt, int build_cache=0)
{
Vec<long> mvec;
vector<long> gens;
vector<long> ords;
long phim = mValues[idx][1];
long m = mValues[idx][2];
assert(GCD(p, m) == 1);
append(mvec, mValues[idx][4]);
if (mValues[idx][5]>1) append(mvec, mValues[idx][5]);
if (mValues[idx][6]>1) append(mvec, mValues[idx][6]);
gens.push_back(mValues[idx][7]);
if (mValues[idx][8]>1) gens.push_back(mValues[idx][8]);
if (mValues[idx][9]>1) gens.push_back(mValues[idx][9]);
ords.push_back(mValues[idx][10]);
if (abs(mValues[idx][11])>1) ords.push_back(mValues[idx][11]);
if (abs(mValues[idx][12])>1) ords.push_back(mValues[idx][12]);
if (!noPrint) {
cout << "*** TestIt";
if (isDryRun()) cout << " (dry run)";
cout << ": p=" << p
<< ", r=" << r
<< ", L=" << L
<< ", t=" << skHwt
<< ", c=" << c
<< ", m=" << m
<< " (=" << mvec << "), gens="<<gens<<", ords="<<ords
<< endl;
cout << "Computing key-independent tables..." << std::flush;
}
setTimersOn();
setDryRun(false); // Need to get a "real context" to test bootstrapping
double t = -GetTime();
FHEcontext context(m, p, r, gens, ords);
if (scale) {
context.scale = scale;
}
context.zMStar.set_cM(mValues[idx][13]/100.0);
buildModChain(context, L, c, /*willBeBootstrappable=*/true);
if (!noPrint) {
std::cout << "security=" << context.securityLevel()<<endl;
std::cout << "# small primes = " << context.smallPrimes.card() << "\n";
std::cout << "# ctxt primes = " << context.ctxtPrimes.card() << "\n";
std::cout << "# bits in ctxt primes = "
<< long(context.logOfProduct(context.ctxtPrimes)/log(2.0) + 0.5) << "\n";
std::cout << "# special primes = " << context.specialPrimes.card() << "\n";
std::cout << "# bits in special primes = "
<< long(context.logOfProduct(context.specialPrimes)/log(2.0) + 0.5) << "\n";
std::cout << "scale=" << context.scale<<endl;
}
context.makeBootstrappable(mvec,/*t=*/skHwt,build_cache,/*alsoThick=*/false);
// save time...disable some fat boot precomputation
t += GetTime();
//if (skHwt>0) context.rcData.skHwt = skHwt;
if (!noPrint) {
cout << " done in "<<t<<" seconds\n";
cout << " e=" << context.rcData.e
<< ", e'=" << context.rcData.ePrime
<< ", a="<< context.rcData.a
<< ", t=" << context.rcData.skHwt
<< "\n ";
context.zMStar.printout();
}
setDryRun(dry); // Now we can set the dry-run flag if desired
long p2r = context.alMod.getPPowR();
for (long numkey=0; numkey<OUTER_REP; numkey++) { // test with 3 keys
t = -GetTime();
if (!noPrint) cout << "Generating keys, " << std::flush;
FHESecKey secretKey(context);
secretKey.GenSecKey(64); // A Hamming-weight-64 secret key
addSome1DMatrices(secretKey); // compute key-switching matrices that we need
addFrbMatrices(secretKey);
if (!noPrint) cout << "computing key-dependent tables..." << std::flush;
secretKey.genRecryptData();
t += GetTime();
if (!noPrint) cout << " done in "<<t<<" seconds\n";
FHEPubKey publicKey = secretKey;
long d = context.zMStar.getOrdP();
long phim = context.zMStar.getPhiM();
long nslots = phim/d;
// GG defines the plaintext space Z_p[X]/GG(X)
ZZX GG;
GG = context.alMod.getFactorsOverZZ()[0];
EncryptedArray ea(context, GG);
if (debug) {
dbgKey = &secretKey;
dbgEa = &ea;
}
zz_p::init(p2r);
Vec<zz_p> val0(INIT_SIZE, nslots);
for (auto& x: val0)
random(x);
vector<ZZX> val1;
val1.resize(nslots);
for (long i = 0; i < nslots; i++) {
val1[i] = conv<ZZX>(conv<ZZ>(rep(val0[i])));
}
vector<ZZX> val_const1;
val_const1.resize(nslots);
for (long i = 0; i < nslots; i++) {
val_const1[i] = 1;
}
Ctxt c1(publicKey);
ea.encrypt(c1, publicKey, val1);
Ctxt c2(c1);
if (!noPrint) CheckCtxt(c2, "before recryption");
publicKey.thinReCrypt(c2);
if (!noPrint) CheckCtxt(c2, "after recryption");
vector<ZZX> val2;
ea.decrypt(c2, secretKey, val2);
if (val1 == val2)
cout << "GOOD\n";
else
cout << "BAD\n";
}
}
void TestIt(long m, long p, long r, long d, long L, long bnd, long B)
{
cout << "*** TestIt" << (isDryRun()? "(dry run):" : ":")
<< " m=" << m
<< ", p=" << p
<< ", r=" << r
<< ", d=" << d
<< ", L=" << L
<< ", bnd=" << bnd
<< ", B=" << B
<< endl;
setTimersOn();
FHEcontext context(m, p, r);
buildModChain(context, L, /*c=*/2);
context.zMStar.printout();
cout << endl;
FHESecKey secretKey(context);
const FHEPubKey& publicKey = secretKey;
secretKey.GenSecKey(/*w=*/64); // A Hamming-weight-w secret key
ZZX G;
if (d == 0)
G = context.alMod.getFactorsOverZZ()[0];
else
G = makeIrredPoly(p, d);
cout << "G = " << G << "\n";
cout << "generating key-switching matrices... ";
addSome1DMatrices(secretKey); // compute key-switching matrices that we need
cout << "done\n";
cout << "computing masks and tables for rotation...";
EncryptedArray ea(context, G);
cout << "done\n";
PlaintextArray xp0(ea), xp1(ea);
xp0.random();
xp1.random();
Ctxt xc0(publicKey);
ea.encrypt(xc0, publicKey, xp0);
ZZX poly_xp1;
ea.encode(poly_xp1, xp1);
cout << "** Testing replicate():\n";
bool error = false;
Ctxt xc1 = xc0;
CheckCtxt(xc1, "before replicate");
replicate(ea, xc1, ea.size()/2);
if (!check_replicate(xc1, xc0, ea.size()/2, secretKey, ea)) error = true;
CheckCtxt(xc1, "after replicate");
// Get some timing results
for (long i=0; i<20 && i<ea.size(); i++) {
xc1 = xc0;
FHE_NTIMER_START(replicate);
replicate(ea, xc1, i);
if (!check_replicate(xc1, xc0, i, secretKey, ea)) error = true;
FHE_NTIMER_STOP(replicate);
}
cout << " Replicate test " << (error? "failed :(\n" : "succeeded :)")
<< endl<< endl;
printAllTimers();
cout << "\n** Testing replicateAll()... " << std::flush;
#ifdef DEBUG_PRINTOUT
replicateVerboseFlag = true;
#else
replicateVerboseFlag = false;
#endif
error = false;
ReplicateTester *handler = new ReplicateTester(secretKey, ea, xp0, B);
try {
FHE_NTIMER_START(replicateAll);
replicateAll(ea, xc0, handler, bnd);
}
catch (StopReplicate) {
}
cout << (handler->error? "failed :(\n" : "succeeded :)")
<< ", total time=" << handler->t_total << " ("
<< ((B>0)? B : ea.size())
<< " vectors)\n";
delete handler;
}
int main(int argc, char *argv[])
{
argmap_t argmap;
argmap["test"] = "1";
argmap["m"] = "4369";
argmap["p"] = "2";
argmap["r"] = "1";
argmap["depth"] = "5";
argmap["L"] = "0";
argmap["ord1"] = "30";
argmap["ord2"] = "0";
argmap["ord3"] = "0";
argmap["ord4"] = "0";
argmap["good1"] = "1";
argmap["good2"] = "1";
argmap["good3"] = "1";
argmap["good4"] = "1";
argmap["dry"] = "0";
argmap["noPrint"] = "1";
// get parameters from the command line
if (!parseArgs(argc, argv, argmap)) usage(argv[0]);
long test = atoi(argmap["test"]);
long p = atoi(argmap["p"]);
long r = atoi(argmap["r"]);
long m = atoi(argmap["m"]);
long depth = atoi(argmap["depth"]);
long L = atoi(argmap["L"]);
long ord1 = atoi(argmap["ord1"]);
long ord2 = atoi(argmap["ord2"]);
long ord3 = atoi(argmap["ord3"]);
long ord4 = atoi(argmap["ord4"]);
long good1 = atoi(argmap["good1"]);
long good2 = atoi(argmap["good2"]);
long good3 = atoi(argmap["good3"]);
long good4 = atoi(argmap["good4"]);
bool dry = atoi(argmap["dry"]);
noPrint = atoi(argmap["noPrint"]);
setDryRun(dry);
if (test==0 || dry!=0) {
Vec<GenDescriptor> vec;
long nGens;
if (ord2<=1) nGens=1;
else if (ord3<=1) nGens=2;
else if (ord4<=1) nGens=3;
else nGens=4;
vec.SetLength(nGens);
switch (nGens) {
case 4: vec[3] = GenDescriptor(ord4, good4, /*genIdx=*/3);
case 3: vec[2] = GenDescriptor(ord3, good3, /*genIdx=*/2);
case 2: vec[1] = GenDescriptor(ord2, good2, /*genIdx=*/1);
default: vec[0] = GenDescriptor(ord1, good1, /*genIdx=*/0);
}
if (!noPrint) {
cout << "***Testing ";
if (isDryRun()) cout << "(dry run) ";
for (long i=0; i<vec.length(); i++)
cout << "("<<vec[i].order<<","<<vec[i].good<<")";
cout << ", depth="<<depth<<"\n";
}
testCube(vec, depth);
}
else {
setTimersOn();
if (!noPrint)
cout << "***Testing m="<<m<<", p="<<p<<", depth="<<depth<< endl;
testCtxt(m,p,depth,L,r);
}
}
void TestIt(long p, long r, long c, long _k, long w,
long L, Vec<long>& mvec,
Vec<long>& gens, Vec<long>& ords, long useCache)
{
if (lsize(mvec)<1) { // use default values
mvec.SetLength(3); gens.SetLength(3); ords.SetLength(3);
mvec[0] = 7; mvec[1] = 3; mvec[2] = 221;
gens[0] = 3979; gens[1] = 3095; gens[2] = 3760;
ords[0] = 6; ords[1] = 2; ords[2] = -8;
}
if (!noPrint)
cout << "*** TestIt"
<< (dry? " (dry run):" : ":")
<< " p=" << p
<< ", r=" << r
<< ", c=" << c
<< ", k=" << _k
<< ", w=" << w
<< ", L=" << L
<< ", mvec=" << mvec << ", "
<< ", useCache = " << useCache
<< endl;
setTimersOn();
setDryRun(false); // Need to get a "real context" to test ThinEvalMap
// mvec is supposed to include the prime-power factorization of m
long nfactors = mvec.length();
for (long i = 0; i < nfactors; i++)
for (long j = i+1; j < nfactors; j++)
assert(GCD(mvec[i], mvec[j]) == 1);
// multiply all the prime powers to get m itself
long m = computeProd(mvec);
assert(GCD(p, m) == 1);
// build a context with these generators and orders
vector<long> gens1, ords1;
convert(gens1, gens);
convert(ords1, ords);
FHEcontext context(m, p, r, gens1, ords1);
buildModChain(context, L, c);
if (!noPrint) {
context.zMStar.printout(); // print structure of Zm* /(p) to cout
cout << endl;
}
long d = context.zMStar.getOrdP();
long phim = context.zMStar.getPhiM();
long nslots = phim/d;
setDryRun(dry); // Now we can set the dry-run flag if desired
FHESecKey secretKey(context);
const FHEPubKey& publicKey = secretKey;
secretKey.GenSecKey(w); // A Hamming-weight-w secret key
addSome1DMatrices(secretKey); // compute key-switching matrices that we need
addFrbMatrices(secretKey); // compute key-switching matrices that we need
// GG defines the plaintext space Z_p[X]/GG(X)
ZZX GG;
GG = context.alMod.getFactorsOverZZ()[0];
EncryptedArray ea(context, GG);
zz_p::init(context.alMod.getPPowR());
Vec<zz_p> val0(INIT_SIZE, nslots);
for (auto& x: val0)
random(x);
vector<ZZX> val1;
val1.resize(nslots);
for (long i = 0; i < nslots; i++) {
val1[i] = conv<ZZX>(conv<ZZ>(rep(val0[i])));
}
Ctxt ctxt(publicKey);
ea.encrypt(ctxt, publicKey, val1);
resetAllTimers();
FHE_NTIMER_START(ALL);
// Compute homomorphically the transformation that takes the
// coefficients packed in the slots and produces the polynomial
// corresponding to cube
if (!noPrint) CheckCtxt(ctxt, "init");
if (!noPrint) cout << "build ThinEvalMap\n";
ThinEvalMap map(ea, /*minimal=*/false, mvec,
/*invert=*/false, /*build_cache=*/false);
// compute the transformation to apply
if (!noPrint) cout << "apply ThinEvalMap\n";
if (useCache) map.upgrade();
map.apply(ctxt); // apply the transformation to ctxt
if (!noPrint) CheckCtxt(ctxt, "ThinEvalMap");
if (!noPrint) cout << "check results\n";
if (!noPrint) cout << "build ThinEvalMap\n";
ThinEvalMap imap(ea, /*minimal=*/false, mvec,
/*invert=*/true, /*build_cache=*/false);
// compute the transformation to apply
if (!noPrint) cout << "apply ThinEvalMap\n";
if (useCache) imap.upgrade();
imap.apply(ctxt); // apply the transformation to ctxt
if (!noPrint) {
CheckCtxt(ctxt, "ThinEvalMap");
cout << "check results\n";
}
#if 1
/* create dirty version of ctxt */
Vec<zz_pX> dirty_val0;
dirty_val0.SetLength(nslots);
for (long i = 0; i < nslots; i++) {
random(dirty_val0[i], d);
SetCoeff(dirty_val0[i], 0, val0[i]);
}
vector<ZZX> dirty_val1;
dirty_val1.resize(nslots);
for (long i = 0; i < nslots; i++) {
dirty_val1[i] = conv<ZZX>(dirty_val0[i]);
}
Ctxt dirty_ctxt(publicKey);
ea.encrypt(dirty_ctxt, publicKey, dirty_val1);
EvalMap dirty_map(ea, /*minimal=*/false, mvec,
/*invert=*/false, /*build_cache=*/false);
dirty_map.apply(dirty_ctxt);
imap.apply(dirty_ctxt);
#endif
vector<ZZX> val2;
ea.decrypt(ctxt, secretKey, val2);
if (val1 == val2)
cout << "ThinEvalMap: GOOD\n";
else
cout << "ThinEvalMap: BAD\n";
#if 1
vector<ZZX> dirty_val2;
ea.decrypt(dirty_ctxt, secretKey, dirty_val2);
if (val1 == dirty_val2)
cout << "ThinEvalMap: GOOD\n";
else
cout << "ThinEvalMap: BAD\n";
#endif
FHE_NTIMER_STOP(ALL);
if (!noPrint) {
cout << "\n*********\n";
printAllTimers();
cout << endl;
}
}
int main(int argc, char *argv[])
{
ArgMapping amap;
long m=53;
amap.arg("m", m, "use specified value as modulus");
long p=17;
amap.arg("p", p, "plaintext base");
long r=1;
amap.arg("r", r, "lifting");
long levels=5;
amap.arg("L", levels, "levels");
long nb_coeffs=5;
amap.arg("n", nb_coeffs, "nb coefficients to extract");
amap.parse(argc, argv);
cout << "\n\n******** generate parameters"
<< " m=" << m
<< ", p=" << p
<< ", r=" << r
<< ", n=" << nb_coeffs
<< endl;
setTimersOn();
FHEcontext context(m, p, r);
buildModChain(context, /*L=*/levels);
// cout << context << endl;
// context.zMStar.printout();
// cout << endl;
cout << "Generating keys and key-switching matrices... " << std::flush;
FHESecKey secretKey(context);
secretKey.GenSecKey(/*w=*/64);// A Hamming-weight-w secret key
addFrbMatrices(secretKey); // compute key-switching matrices that we need
add1DMatrices(secretKey); // compute key-switching matrices that we need
const FHEPubKey& publicKey = secretKey;
cout << "done\n";
resetAllTimers();
EncryptedArray ea = *(context.ea);
ea.buildLinPolyMat(false);
Ctxt ctxt(publicKey);
NewPlaintextArray ptxt(ea);
random(ea, ptxt);
// ea.encrypt(ctxt, publicKey, ptxt);
ea.skEncrypt(ctxt, secretKey, ptxt);
cout << "Extracting " << nb_coeffs << " coefficients...";
vector<Ctxt> coeffs;
extractCoeffs(ea, coeffs, ctxt, nb_coeffs);
cout << "done\n";
vector<ZZX> ptxtDec;
ea.decrypt(ctxt, secretKey, ptxtDec);
for (long i=0; i<(long)coeffs.size(); i++) {
if (!coeffs[i].isCorrect()) {
cerr << " potential decryption error for "<<i<<"th coeffs " << endl;
CheckCtxt(coeffs[i], "");
exit(0);
}
vector<ZZX> pCoeffs;
ea.decrypt(coeffs[i], secretKey, pCoeffs);
assert(pCoeffs.size() == ptxtDec.size());
for (int j = 0; j < pCoeffs.size(); ++j) {
if (coeff(pCoeffs[j], 0) != coeff(ptxtDec[j], i)) {
cerr << "error: extracted coefficient " << i << " from "
"slot " << j << " is " << coeff(pCoeffs[j], 0) << " instead of " <<
coeff(ptxtDec[j], i) << endl;
exit(0);
}
}
}
cerr << "Extracted coefficient successfully verified!\n";
}
